
Programs and Task Manager won't launch


This topic is locked
12 replies to this topic

#1 Ybsorcc

Ybsorcc

  • Members
  • 6 posts

Posted 08 March 2011 - 01:24 AM

As of three days ago, my fairly new PC (4 months old) is suddenly behaving strangely. When I start from a cold boot everything at first works just fine. But after roughly an hour the following symptoms pop up:

  • Many of the programs will no longer respond
  • The browser doesn't fully freeze, but you can't load any new web pages
  • No new programs not already running can be run - when you select a program, the cursor goes to an hourglass for a few seconds, but then hangs
  • The Task Manager can no longer be loaded (it can prior to this time, but after about an hour you can no longer launch it)
  • You can't fully shut down - programs may close, but ultimately, the shutdown process hangs

I've attached the logs from the OTL and HijackThis utilities. I'm using Symantec Endpoint Protection as my virus software (version 11.0.4202.75). Looking forward to seeing what can be determined from this.

Ybsorcc

Attached Files


Edited by Ybsorcc, 08 March 2011 - 01:26 AM.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 09 March 2011 - 08:56 PM

Please run the following:


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Ybsorcc

Ybsorcc
  • Topic Starter

  • Members
  • 6 posts

Posted 10 March 2011 - 10:37 AM

Thanks Catbyte for your help. I've run the GMER toolkit and have attached the log as a text file. I look forward to seeing what you can find.

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 10 March 2011 - 10:54 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#5 Ybsorcc

Ybsorcc
  • Topic Starter

  • Members
  • 6 posts

Posted 10 March 2011 - 08:25 PM

I ran ComboFix and it didn't say anything about loading the Microsoft Recovery Console and basically didn't do anything beyond bringing up a progress bar with "combofix" written above it. After the progress bar got to 100% the process seems to stop as if it were done. Nothing else happens and a C:\ComboFix.txt file is not created. Thoughts?

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 11 March 2011 - 09:23 AM

Delete the copy you have on your desktop and download a fresh copy, but rename it to iexplore before saving it to your desktop.

Make certain your security programs are disabled and try running it again.

If it still won't run, try running it in safe mode:

reboot the computer > tap F8 repeatedly until an advanced menu appears > arrow up to Safe Mode with Networking



#7 Ybsorcc

Ybsorcc
  • Topic Starter

  • Members
  • 6 posts

Posted 12 March 2011 - 01:25 PM

I was able to get it to run in safe mode. See combofix log attached (I had to zip it). Thanks for your persistence.

Attached Files



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 12 March 2011 - 04:06 PM

Hi

Please run the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#9 Ybsorcc

Ybsorcc
  • Topic Starter

  • Members
  • 6 posts

Posted 13 March 2011 - 02:18 AM

I've gone through each of your suggested steps. I've attached the logs from the three programs run. I noticed on the ESET it's indicating an issue with a utility I have registryreviver. I'll be interested in your thoughts.

Attached Files



#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 13 March 2011 - 11:12 AM

Hi

I recommend uninstalling the Registry program. They can be harmful to your computer and they really aren't necessary.

Please do the following:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 24 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 24 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u24 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Please advise how the computer is running now and if there are any outstanding issues



#11 Ybsorcc

Ybsorcc
  • Topic Starter

  • Members
  • 6 posts

Posted 13 March 2011 - 01:10 PM

It took me a couple of times to get your sequence of steps followed properly, but I've done them and have attached the two log files.

Amazingly, the symptoms haven't reappeared for the last 24 hours. I had the computer on all night just to see if it would eventually slow down or freeze and it didn't. So, I'm hopeful the problem has been resolved. If I sound like I have any doubts it's because I can't figure out what in your process changed anything. I removed the ReviverSoft utility as you suggested, but I installed this utility after I started to experience the symptoms, so it doesn't seem like it would be the root cause issue.

Whenever I help someone fix a computer problem and they ask me, "so what is the problem", I usually say, "I don't know, because I've done a lot of things to try to resolve it, and I'm not sure which one fixed it, but if it no longer poses a problem, I recommend forgetting about it and moving on". All the same, any idea what the root cause was? ;)

Once again, I want to thank you for your hanging in there on this problem and helping me get to a positive resolution.

All the best!

ybsorcc

Attached Files

  • Attached File: dds.zip (15.64KB)

Edited by Ybsorcc, 13 March 2011 - 01:12 PM.


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 13 March 2011 - 01:46 PM

That's odd, the DDS log is still showing an MBR infection.

Please do the following:

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)


When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter


Next type FIXMBR


If it asks if you're sure you want to write a new MBR, answer 'Y'.

Then type EXIT to reboot the machine.


NEXT


re-run DDS and post a fresh log

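The step above rewrites the boot code with FIXMBR because DDS reported an MBR infection. Before and after a step like that, a practitioner wants to look at the sector itself rather than trust one tool's verdict. The following is an added example, not code from the thread or from any of the tools named in it: it parses a 512-byte MBR dump, checks the 0x55AA signature and the partition table for the anomalies a bootkit or a botched rewrite typically leaves (no or several active partitions, zero-length or overlapping entries), and compares the 440-byte boot-code region against an allowlist of SHA-256 hashes. The sample images, the disk signature, the boot-code bytes and the KNOWN_GOOD allowlist are all constructed for the example; on a real machine the sector is read from \\.\PhysicalDrive0 as administrator (for instance open(r"\\.\PhysicalDrive0", "rb").read(512)) and the allowlist is seeded from a known-clean machine of the same Windows version.

```python
"""Inspect a raw 512-byte MBR image for signs of tampering (added example)."""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439: boot code; 440..445: disk signature + padding
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55AA in the last two bytes


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Decode the four partition-table entries, skipping empty slots."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region, the part FIXMBR rewrites."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def inspect_mbr(mbr: bytes, known_good: set[str]) -> dict:
    """Return partitions, boot-code hash and a list of findings (empty = clean)."""
    if len(mbr) != MBR_SIZE:
        return {"partitions": [], "bootcode_sha256": None,
                "findings": [f"unexpected length {len(mbr)}"], "clean": False}
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            findings.append(f"partition {p.index}: zero start or size")
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (_s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    digest = bootcode_hash(mbr)
    if digest not in known_good:
        findings.append(f"boot code sha256 {digest[:16]}... not in allowlist")
    return {"partitions": parts, "bootcode_sha256": digest,
            "findings": findings, "clean": not findings}


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed 512-byte image: given boot code plus one active NTFS partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(bootcode)] = bootcode
    mbr[440:444] = b"\x11\x22\x33\x44"                      # made-up disk signature
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 60_000_000)          # active, type 0x07 (NTFS)
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)


# Constructed stand-in for clean boot code (a few opcodes, then NOPs). It is NOT
# the Windows XP boot code, so the allowlist below is meaningful only here.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTCODE_LEN - 7)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE)
KNOWN_GOOD = {bootcode_hash(CLEAN_MBR)}   # hypothetical allowlist from a trusted machine

# Bootkit-style tamper: identical partition table, but the first instruction now
# jumps into bytes parked near the end of the boot-code region.
_t = bytearray(CLEAN_BOOTCODE)
_t[0:3] = b"\xe9\x8c\x01"                       # jmp near +0x18c
_t[0x18f:0x18f + 5] = b"\xb8\x00\x10\x8e\xc0"   # placeholder payload bytes
INFECTED_MBR = build_sample_mbr(bytes(_t))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", INFECTED_MBR)):
        result = inspect_mbr(img, KNOWN_GOOD)
        print(name, "OK" if result["clean"] else result["findings"])
```

Two caveats worth keeping in mind with this check. FIXMBR replaces only the boot code and leaves the partition table alone, so the hash mismatch on the tampered image goes away after the rewrite while a corrupted or deliberately altered partition table would not. And a hash allowlist only covers this one sector: a bootkit that keeps its body in the unallocated sectors after the MBR, or in a driver loaded later, is out of scope for it and is what the TDSSKiller and GMER passes earlier in the thread were for.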


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 March 2011 - 05:31 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.





